Security Events in WinCC OA

| Section | Description |
| --- | --- |
| ACCOUNT MANAGEMENT | Log messages for Account Management (password and account changes, session and connection timeout) |
| COMMUNICATION INTEGRITY | Log messages for communication and connection events (Manager connection) |
| NETWORK AND SECURITY CONFIGURATION SETTINGS | Log messages for network and security configuration settings (http and proxy messages, authorization configuration changes) |
| USER IDENTIFICATION AND AUTHENTICATION | Log messages for IACS User Identification and Authentication (login and OS authentication) |

Security Events Information

Security Events Description

A general description of the structure of security events and the severity of the contained information.

Event Log Message Elements

The description of each dedicated security event log message contains the following elements:

ID
The unique ID of an event.
Example
An example log message to demonstrate the structure and content of the specific log message event.
Symbolic Structure

Each log message contains the following elements:

| Element | Description |
| --- | --- |
| Source | The manager that sent the log message. Contains the type of manager as well as the manager ID. |
| Time Stamp | Time information to indicate when the log message was written to the log. |
| Category | Message category |
| Type | The severity of the raised log messages, see Severity. |
| EventID | ID of the event, as used within the _errors.cat file. If the event message is defined within a different catalogue file, it is also stated with the EventID, e.g. 17/OaLogin for the SE_ACCOUNT_DISABLED event. |
| Log Message | The actual message of the log entry, containing information or details about events or errors that occurred. |
Additional Details
Information that elaborates on the content of the log message. Contains, for example, information about specific elements of the error message, which are dynamically added.
Test Information (optional)
To validate if specific events are correctly recognized within your system, this section of the Security Events in WinCC OA provides steps or details on how to trigger the log message and therefore test your system against these steps.

Severity

Fatal

Represents critical failures that will stop the whole manager or even project.

For example: “S7 driver cannot be started” or “Corrupt table structure in project configuration database”

Severe

A software problem that the system cannot handle, but can work around so that it continues to operate with limited functionality. This can be caused, for example, by environment problems (e.g. missing resources) or internal programming errors. Severe issues should not occur in released product versions, but if they occur, they are valuable hints for analysis.

For example: “License not found, using demo license instead”, “Unable to create/persist alert”, “Unable to load last values from DB”

Note: Errors that the system can handle (e.g. “Wrong time-format used, using default values instead”, “NULL time occurred in DB record, using default value instead”) are usually classified as warnings (see below).

Warning

A smaller disturbance that the system can handle per design and has no major effect on usability.

For example: “Connection to PLC is lost, attempting to reconnect”, “Wrong time-format used, using default values instead”, “NULL time occurred in DB record”

Info

Stands for information.

For example: “Connection with PLC was established”, “Listening on port 1234”, “Manager stop”

ACCOUNT MANAGEMENT

Log messages for Account Management (password and account changes, session and connection timeout)

Area permission created

This event appears when an area permission was successfully created.
ID
SE_AREA_PERMISSION_CREATED
Example
WCCOActrl (1), 2023.11.02 13:17:25.888, PARAM,INFO, 26/OaLogin, Area permission created, Area Permission: MyAreaPermission
Table 1. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (1) | {log time} | PARAM | INFO | 26/OaLogin | Area permission created, Area Permission: {AREA PERMISSION} |
Additional Details
  • {AREA PERMISSION}: Area permission name
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Create a new user group or select an existing one in User administration panel
  5. Create an area permission

Area permission deleted

This event appears when an area permission was successfully deleted.
ID
SE_AREA_PERMISSION_DELETED
Example
WCCOActrl (1), 2023.11.02 13:17:36.334, PARAM,INFO, 27/OaLogin, Area permission deleted, Area Permission: MyAreaPermission
Table 2. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (1) | {log time} | PARAM | INFO | 27/OaLogin | Area permission deleted, Area Permission: {AREA PERMISSION} |
Additional Details
  • {AREA PERMISSION}: Area permission name
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Create a new user group or select an existing one in User administration panel
  5. Delete the area permission

User account added to group

This event appears when a user account was successfully added to a group.
ID
SE_USER_ACCOUNT_ADDED_TO_GROUP
Example
WCCOActrl (1), 2023.11.02 13:16:11.276, PARAM,INFO, 22/OaLogin, User account added to group, User: MyUser, Groups: root | operatorAll | operator
Table 3. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (1) | {log time} | PARAM | INFO | 22/OaLogin | User account added to group, User: {USER}, Groups: {GROUPS} |
Additional Details
  • {USER}: Name of the user account
  • {GROUPS}: Added groups associated with the user account
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Create a new user group or select an existing one in User administration panel
  5. Change association of the user and its groups

User account deleted

This event appears when a user account was deleted.
ID
SE_ACCOUNT_DELETED
Example
WCCOActrl (1), 2023.10.01 10:29:13.655, PARAM, INFO, 18/OaLogin, User account testUser(8) has been deleted.
Table 4. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl ({MANAGER NO}) | {log time} | PARAM | INFO | 18/OaLogin | User account {USER NAME}({USER ID}) has been deleted. |
Additional Details
  • {MANAGER NO}: Manager number of manager running the command channel
  • {USER NAME}: Name of the user account
  • {USER ID}: Internal ID of the user account
The system reports that a user account was deleted.
Test Information
  1. Open the User Administration
  2. Select user, and click on the "Delete" button

User account deleted from group

This event appears when a user account was successfully deleted from a group.
ID
SE_USER_ACCOUNT_DELETED_FROM_GROUP
Example
WCCOActrl (1), 2023.11.02 13:16:26.165, PARAM,INFO, 23/OaLogin, User account deleted from group, User: MyUser, Groups: operatorAll | operator
Table 5. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (1) | {log time} | PARAM | INFO | 23/OaLogin | User account deleted from group, User: {USER}, Groups: {GROUPS} |
Additional Details
  • {USER}: Name of the user account
  • {GROUPS}: Deleted groups associated with the user account
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Create a new user group or select an existing one in User administration panel
  5. Change association of the user and its groups

User account disabled

This event appears when a user account was disabled.
ID
SE_ACCOUNT_DISABLED
Example
WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 17/OaLogin, User account testUser(8) has been disabled.
Table 6. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl ({MANAGER NO}) | {log time} | PARAM | INFO | 17/OaLogin | User account {USER NAME}({USER ID}) has been disabled. |
Additional Details
  • {MANAGER NO}: Manager number running command channel script
  • {USER NAME}: Name of the user account
  • {USER ID}: Internal ID of the user account
The system reports that a user account was disabled.
Test Information
  1. Open the User Administration
  2. Select user, and click on the "Deactivate" button

User account enabled

This event appears when a user account was enabled.
ID
SE_ACCOUNT_ENABLED
Example
WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 16/OaLogin, User account testUser(8) has been enabled.
Table 7. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl ({MANAGER NO}) | {log time} | PARAM | INFO | 16/OaLogin | User account {USER NAME}({USER ID}) has been enabled. |
Additional Details
  • {MANAGER NO}: Manager number for command channel script
  • {USER NAME}: Name of the user account
  • {USER ID}: Internal ID of the user account
The system reports that a user account was enabled.
Test Information
  1. Open the User Administration
  2. Click on the "Activate" button
  3. Select user, and click on the "Activate" button

User group created

This event appears when a new user group was successfully created.
ID
SE_USER_GROUP_CREATED
Example
WCCOActrl (1), 2023.11.02 13:15:02.115, PARAM,INFO, 19/OaLogin, User group created, Group: MyGroup
Table 8. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (1) | {log time} | PARAM | INFO | 19/OaLogin | User group created, Group: {GROUP} |
Additional Details
  • {GROUP}: Name of the successfully created user group
This event indicates whether the user group was successfully created.
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Create a new user group in User administration panel

User group deleted

This event appears when a new user group was successfully deleted.
ID
SE_USER_GROUP_DELETED
Example
WCCOActrl (1), 2023.11.02 13:15:17.960, PARAM,INFO, 20/OaLogin, User group deleted, Group: MyGroup
Table 9. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (1) | {log time} | PARAM | INFO | 20/OaLogin | User group deleted, Group: {GROUP} |
Additional Details
  • {GROUP}: Name of the successfully deleted user group
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Delete a new user group in User administration panel

User group permission changed

This event appears when permission for a user group was successfully changed.
ID
SE_USER_GROUP_PERMISSION_CHANGED
Example
WCCOActrl (1), 2023.11.02 13:15:39.016, PARAM,INFO, 21/OaLogin, User group permission changed, Group: MyGroup, Authorization level: 00000000000000000000000101010101
Table 10. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (1) | {log time} | PARAM | INFO | 21/OaLogin | User group permission changed, Group: {GROUP}, Authorization level: {AUTHORIZATION_LEVEL} |
Additional Details
  • {GROUP}: Name of the user group
  • {AUTHORIZATION_LEVEL}: Authorization level (permissions) of the user group
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Create a new user group or select an existing one in User administration panel
  5. Change permission for selected user group

User password changed

This event appears when a password of a user account was changed.
ID
SE_ACCESS_PWD_CHANGED
Example
WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 15/OaLogin, Password of user testUser(8) has been changed.
Table 11. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl ({MANAGER NO}) | {log time} | PARAM | INFO | 15/OaLogin | Password of user {USER NAME}({USER ID}) has been changed. |
Additional Details
  • {MANAGER NO}: Manager number running the command channel script
  • {USER NAME}: Name of the user account
  • {USER ID}: Internal ID of the user account
The system reports that the password of a user account has been changed.
Test Information
  1. Open the User Administration
  2. Select user, and open the User characteristics panel
  3. Set password using the "Password" button on the panel

Workstation permission created

This event appears when a workstation permission was successfully created.
ID
SE_WORKST_PERMISSION_CREATED
Example
WCCOAui (1), 2023.11.02 13:16:50.941, PARAM,INFO, 24/OaLogin, Workstation permission created, Workstation: MyWorkstationPermission, Group: MyGroup, Authorization level: 11111111 11111111 11111111 11111110
Table 12. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOAui (1) | {log time} | PARAM | INFO | 24/OaLogin | Workstation permission created, Workstation: {WORKSTATION}, Group: {GROUP}, Authorization level: {AUTHORIZATION_LEVEL} |
Additional Details
  • {WORKSTATION}: Name of the workstation permission
  • {GROUP}: Name of the user group
  • {AUTHORIZATION_LEVEL}: Authorization level (permissions) of the user group
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Create a new user group or select an existing one in User administration panel
  5. Create the new workstation permission

Workstation permission deleted

This event appears when a workstation permission was successfully deleted.
ID
SE_WORKST_PERMISSION_DELETED
Example
WCCOAui (1), 2023.11.02 13:17:06.806, PARAM,INFO, 25/OaLogin, Workstation permission deleted, Workstation: MyWorkstationPermission, Group: MyGroup
Table 13. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOAui (1) | {log time} | PARAM | INFO | 25/OaLogin | Workstation permission deleted, Workstation: {WORKSTATION} |
Additional Details
  • {WORKSTATION}: Name of the workstation permission
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Create a new user group or select an existing one in User administration panel
  5. Delete the workstation permission

_auth config has been changed

This message indicates changes to an _auth config for an internal data-point.
ID
SE_AUTHCONFIG_CHANGED
Example
WCCILevent (0), 2023.11.15 15:08:17.696, SYS, INFO, 255, _auth config for System1:_Users.:_auth._default._read has been changed
Table 14. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCILevent (0) | {log time} | SYS | INFO | 255 | _auth config for {NAME} has been changed |
Additional Details
  • {NAME}: Name of the data-point and config that were changed

This event is issued when an _auth config of an internal data point (that is, a data point relevant to the WinCC OA system) is changed: adding an _auth config, removing an _auth config, or changing access rights/permissions.

Access rights can be applied to the following configs:

  • _address
  • _alert
  • _alert_class
  • _alert_hdl
  • _archive
  • _cmd_conv
  • _corr
  • _default
  • _distrib
  • _dp_fct
  • _general
  • _lock
  • _logger
  • _msg_conv
  • _original
  • _pv_range
  • _smooth
  • _u_range
Test Information

Open PARA and select the _Users data-point. Select the _auth config and change something and click Apply/OK.

COMMUNICATION INTEGRITY

Log messages for communication and connection events (Manager connection)

Start Manager

This event appears as first message when a WinCC OA manager was started.
ID
SE_MANAGER_START
Example
WCCOActrl (2), 2023.03.14 12:18:20.232, SYS, INFO, 1, Manager Start, PROJ, SecurityEvents3.20, V 3.20 - 3.20 final platform Windows AMD64 linked at Feb 8 2023 08:27:48 (a0f2bb6075f)
Table 15. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| {MANAGER TYPE} ({MANAGER NO}) | {log time} | SYS | INFO | 1 | Manager Start, PROJ, {project name}, V {version} platform {platform} linked at {linked date} ({commit id}) |
Additional Details
  • {MANAGER TYPE}: Type of manager, e.g. WCCOActrl or WCCOAevent
  • {MANAGER NO}: Manager number
The Manager Start event message provides information about the module version, patch and link.

It indicates the start of one of the manager components (e.g. Data Manager, Event Manager, Control Manager, etc.). Depending on the project context, multiple starts within a short time (some minutes) can indicate a severe deviation such as repeated crashes or unauthorized access with trial starts. The WCCOAdatabg (data background manager) is stopped and started at every online backup, so these messages do not indicate a deviation.

Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Start one manager (e.g. WCCOAdata) manually

Start Proxy Manager

This event appears as first message when a WinCC OA proxy manager was started.
ID
SE_MXPROXY_START
Example
WCCILproxy (1), 2023.09.29 12:19:12.422, SYS, INFO, 220, Multiplexing proxy Start, PROJ, SecurityEvents3.20, V 3.20 - 3.20 final platform Windows AMD64 linked at Sep 29 2023 12:19:02 (29e85fd5be6)
Table 16. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCILproxy (1) | {log time} | SYS | INFO | 220 | Multiplexing proxy Start, PROJ, {project name}, V {version} platform {platform} linked at {linked date} ({commit id}) |
Additional Details

The Proxy Manager Start event message provides information about the module version, patch and link.

This message indicates the start of the Proxy manager. It is similar to the Manager Start message but has its own Event ID.

Depending on the project context, multiple starts within a short time (some minutes) can indicate a severe deviation such as repeated crashes or unauthorized access with trial starts.
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Start Proxy manager manually

Stop Manager

This event appears as last message after a WinCC OA manager was stopped.
ID
SE_MANAGER_STOP
Example
WCCILdata (0), 2023.05.04 12:00:59.812, SYS, INFO, 2, Manager Stop
Table 17. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| {MANAGER TYPE} ({MANAGER NO}) | {log time} | SYS | INFO | 2 | Manager Stop |
Additional Details
  • {MANAGER TYPE}: Type of manager, e.g. WCCOActrl or WCCOAevent
  • {MANAGER NO}: Manager number
This event indicates the regular stop of one of the manager components (e.g. Event Manager, Control Manager, etc.) and is written after cleanup of internal data and after termination of all its connections.

This event should be paired with its Manager Start event. A missing stop event indicates abnormal termination due to a crash or an intentionally forced stop. The WCCOAdatabg (data background manager) is stopped and started at every online backup, so these messages don't indicate a deviation.

Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Start one manager (e.g. WCCOAdata) manually
  5. Stop this manager (e.g. WCCOAdata) manually with normal termination

Stop Proxy Manager

This event appears as last message when the WinCC OA Proxy manager was stopped.
ID
SE_MXPROXY_STOP
Example
WCCILproxy (1), 2023.09.29 12:20:04.892, SYS, INFO, 221, Multiplexing proxy Stop
Table 18. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCILproxy (1) | {log time} | SYS | INFO | 221 | Multiplexing proxy Stop |
Additional Details
This event indicates the regular stop of the Proxy manager and is written after cleanup of internal data and after termination of all its connections.

This message is similar to the Manager Stop message but has its own Event ID.

This event should be paired with its Proxy Manager Start event. A missing stop event indicates abnormal termination due to a crash or an intentionally forced stop.
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Start Data, Event and Proxy manager manually
  5. Stop Proxy manager manually with normal termination

NETWORK AND SECURITY CONFIGURATION SETTINGS

Log messages for network and security configuration settings (http and proxy messages, authorization configuration changes)

Audit configuration changed

This message is shown if a configuration entry was changed in the Security Events configuration.
ID
SE_AUDIT_CFG_CHANGED
Example
WCCILproxy (1), 2023.11.21 10:11:35.929, PARAM,INFO, 1/ContinuousMonitoring, Audit config entry changed, SE_LOGOFF ("Logoff") Security Log: TRUE
Table 19. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| {WCCOA Manager} ({manager number}) | {log time} | PARAM | INFO | 1/ContinuousMonitoring | Security Events configuration entry changed |
Additional Details
This event is issued by a WinCC OA manager when reloading a different config file in runtime. The event is not shown at manager start, only on config reload events. The event is shown by all the managers.

{DETAILS}: The details of the change

Test Information
How to force the SE_AUDIT_CFG_CHANGED event within a running WinCC OA project:

Change and save the configuration in the Security Events wizard.

Audit data saved

This message is shown if the configuration file was saved in the Security Events wizard.
ID
SE_AUDIT_DATA_SAVED
Example
WCCOAui (1), 2023.11.21 10:11:34.051, PARAM,INFO, 2/ContinuousMonitoring, Audit configuration was saved
Table 20. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOAui ({manager number}) | {log time} | PARAM | INFO | 2/ContinuousMonitoring | Security Events configuration was saved |
Additional Details
This event is issued by a WinCC OA Ui Manager when the user saves a config file in the Security Events wizard.
Test Information
How to force the SE_AUDIT_DATA_SAVED event within a running WinCC OA project:

Change and save the configuration in the Security Events wizard.

Authorized HTTP connect

This message indicates an authorized connection to the http(s) server.
ID
SE_HTTPAUTH_AUTH
Example
WCCOActrl (2), 2023.12.04 10:59:15.467, PARAM,INFO, 11/http, Authorized connect from para@md639abc.etm.net, /_info
Table 21. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (2) | {log time} | PARAM | INFO | 11/http | Authorized connect from {user}@{peer host}, {uri} |
Additional Details
  • {user}: User attempting connection
  • {peer host}: Host name of connecting peer
  • {uri}: Requested uri without query parameters
This event is logged from the HTTP control extension that runs within the process of the WinCC OA Control Manager. It indicates a connection to the http(s) server. It shows the user, the hostname of the peer and the requested uri. It delivers information for forensics about which users connected to the http(s) server at which time and from which host.
Test Information

Login with valid credentials (login panel) while serverside authentication and httpAuth are activated.

Cannot find Host in Hostlist

This message indicates a connection attempt to a host where the configuration does not match.
ID
SE_CANNOT_FIND_HOST_IN_HOSTLIST
Example
WCCILproxy (1), 2024.04.04 15:33:06.201, PARAM,WARNING, 209, Cannot find the host in the list of the allowed-hosts: (8.8.8.8:4897)
Table 22. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCILproxy (1) | {log time} | PARAM | WARNING | 209 | Cannot find the host in the list of the allowed-hosts: ({HOSTNAME}:{PORT NUMBER}) |
Additional Details
  • {HOSTNAME}: Hostname of the server that the connection attempt should reach
  • {PORT NUMBER}: Port number that was opened for network communication (see TCP/IP protocol information)
This event is issued by the Proxy Manager if a remote manager tries in vain to connect to a server. To secure all connections, the Proxy Manager can be configured so that connections are only possible to allowed servers. It indicates an erroneous or malicious connection attempt from remote.
Test Information

Configure the project using config entry [general]mxProxy; try to connect to a server that has no corresponding proxy entry of its hostname in the server configuration file.

Certificate Chain Prefix mismatch

This message is shown if the client certificate does not match the required chain prefix.
ID
SE_CERTIFICATE_CHAIN_PREFIX_MISMATCH
Example
WCCOActrl (2), 2024.04.04 15:42:22.090, PARAM,SEVERE, 254, Required chainPrefix: root-cert, received: IOWA-CA;rsa.expired;.
Table 23. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (2) | {log time} | PARAM | SEVERE | 254 | Required chainPrefix: {PREFIX}, received: {BAD PREFIX}. |
Additional Details
  • {PREFIX}: Required prefix
  • {BAD PREFIX}: Certificate prefix
This event is issued by a WinCC OA Client Manager in case of a mismatch between certificate issuer and configured chain prefix.

This event indicates an erroneous or malicious connection attempt from remote.

Test Information

Contact proxy from network using a certificate with a wrong issuer.

Certificate expired

This message is shown when the expiry date of the certificate is in the past.
ID
SE_CERTIFICATE_EXPIRED
Example
WCCILproxy (1), 2024.04.05 10:05:03.447, PARAM,WARNING, 218, Certificate /C=AT/ST=Burgenland/O=ETM/OU=IOWA/CN=IOWA-CA/emailAddress=info@etm.at is expired.
Table 24. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| {WCCOA Manager or proxy} ({number}) | {log time} | PARAM | WARNING | 218 | Certificate {CERTIFICATE DETAIL} is expired. |
Additional Details
  • {CERTIFICATE DETAIL}: Detailed information about the certificate

This event is issued by any of the WinCC OA processes (server, clients or Proxy) when a certificate was not exchanged in time, so that the current date is past the certificate expiration date. This event indicates inattentive project security management.

Test Information

Connect to the event manager via network using a certificate whose expiry date is set to a date in the past.

Certificate Verification failed

This message is shown for various certificate errors.
ID
SE_CERTIFICATE_VERIFICATION_FAILED
Example
WCCILdataSQLite(0), 2024.04.04 14:26:20.488, PARAM,SEVERE, 219, Certificate verification failed, due to: invalid certificate verification context.
WCCOActrl (2), 2024.04.04 14:33:50.134, PARAM,SEVERE, 219, Certificate /C=AT/ST=Burgenland/L=Eisenstadt/O=ETM/OU=RD/CN=root-cert verification failed, due to: self-signed certificate in certificate chain.
Table 25. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| {WCCOA Manager or proxy} ({number}) | {log time} | PARAM | SEVERE | 219 | Certificate {CERTIFICATE DETAIL} verification failed, due to: {DETAIL}. |
Additional Details
  • {CERTIFICATE DETAIL}: Detail information of certificate
  • {DETAIL} can be either one or multiple texts of:
      • "invalid certificate verification context"
      • "CERT_TRUST_IS_NOT_TIME_VALID"
      • "CERT_TRUST_IS_PARTIAL_CHAIN"
      • "CERT_TRUST_IS_REVOKED"
      • "CERT_TRUST_IS_NOT_SIGNATURE_VALID"
      • "CERT_TRUST_IS_NOT_VALID_FOR_USAGE"
      • "CERT_TRUST_IS_UNTRUSTED_ROOT"
      • "CERT_TRUST_IS_CYCLIC"
      • "CERT_TRUST_INVALID_EXTENSION"
      • "CERT_TRUST_INVALID_POLICY_CONSTRAINTS"
      • "CERT_TRUST_INVALID_BASIC_CONSTRAINTS"
      • "CERT_TRUST_INVALID_NAME_CONSTRAINTS"
      • "CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT"
      • "CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT"
      • "CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT"
      • "CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT"
      • "CERT_TRUST_IS_OFFLINE_REVOCATION"
      • "CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY"
      • "CERT_TRUST_IS_EXPLICIT_DISTRUST"
      • "CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT"
      • "unknown error: " + some error value
      • ...

This event is issued by one of the WinCC OA Managers or Proxy in case of a general certificate error. The description contains the details, for example: certificate chain broken, untrusted root, certificate is revoked, ...

It indicates an erroneous or malicious connection attempt from remote.

Test Information

Connect to event manager via network using an invalid certificate (e.g. revoked or broken certificate).

Open HTTP Port

This message indicates an open port from HTTP control extension.
ID
SE_HTTPPORT
Example
WCCOActrl (2), 2023.05.04 12:05:05.157, SYS, INFO, 2/http, Server listens on Port https:// - 443.
WCCOActrl (2), 2023.05.04 12:05:05.157, SYS, INFO, 2/http, Server listens on Port http:// - 80.
Table 26. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (2) | {log time} | SYS | INFO | 2/http | Server listens on Port {HTTP TYPE}:// - {PORT NO}. |
Additional Details
  • {HTTP TYPE}: http or https (encrypted http) format
  • {PORT NO}: Port number that was opened for network communication (see TCP/IP protocol information)
This event is logged from HTTP control extension that runs within the process of WinCC OA Control Manager. It indicates the successful start of both Control Manager and of the control extension and the readiness for being connected in Server Side Auth login process or for static html server services. It shows the open ports for http(s) after start of the hosting manager.
Test Information

Start Control Manager manually either using a script that calls the httpServer() function or using webclient_http.ctl script

Open Port from Node.js

This message indicates an open port from Node.js addon.
ID
SE_NODEJS_PORT
Example
node (3), 2023.12.07 14:31:49.307, SYS, INFO, 1/javascript, Server listens on Port https:// - 443.
node (3), 2023.12.07 14:31:49.307, SYS, INFO, 1/javascript, Server listens on Port sftp:// - 22.
Table 27. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| node (3) | {log time} | SYS | INFO | 1/javascript | Server listens on Port {PROTOCOL}:// - {PORT NO}. |
Additional Details
  • {PROTOCOL}: protocol used for the port
  • {PORT NO}: Port number that was opened for network communication (see TCP/IP protocol information)
This event is logged from Node.js addon that runs within the process of the Node.js executable and is connected to WinCC OA. It indicates the successful start of both Node.js and the Node.js addon and the readiness for being connected.
Test Information

Start JavaScript Manager manually using a script that calls reportOpenPort() on the WinccoaManager instance in JavaScript

Unauthorized HTTP connect

This message indicates an unauthorized connection attempt to the http(s) server.
ID
SE_HTTPAUTH_UNAUTH
Example
WCCOActrl (2), 2023.12.04 10:28:55.005, PARAM,WARNING, 7/http, Unauthorized connect from para@md639abc.etm.net, /_info
Table 28. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (2) | {log time} | PARAM | WARNING | 7/http | Unauthorized connect from {user}@{peer host}, {uri} |
Additional Details
  • {user}: User attempting connection
  • {peer host}: Host name of connecting peer
  • {uri}: Requested uri without query parameters
This event is logged from the HTTP control extension that runs within the process of the WinCC OA Control Manager. It indicates a failed attempt to connect to the http(s) server. It shows the user, the hostname of the peer and the requested uri. Multiple failed authentications can indicate attempts of unauthorized access to the System.
Test Information

Login with invalid credentials (login panel) while serverside authentication and httpAuth are activated.

Unauthorized HTTP connect from root

This message indicates an unauthorized connection attempt to the http(s) server from the root user.
ID
SE_HTTPAUTH_UNAUTH_ROOT
Example
WCCOActrl (2), 2023.12.04 10:51:10.428, PARAM,WARNING, 8/http, Unauthorized connect from root@md639abc.etm.net; 'root' is no valid account for http server, /_info
Table 29. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOActrl (2) | {log time} | PARAM | WARNING | 8/http | Unauthorized connect from root@{peer host}; 'root' is no valid account for http server, {uri} |
Additional Details
  • {peer host}: Host name of connecting peer
  • {uri}: Requested uri without query parameters
This event is logged from HTTP control extension that runs within the process of WinCC OA Control Manager. It indicates the failed attempt of connecting to the https server with the root user. The root user is not allowed for authentication against the http(s) server.
Test Information

Login with the root user (login panel) while serverside authentication and httpAuth are activated.

USER IDENTIFICATION AND AUTHENTICATION

Log messages for IACS User Identification and Authentication (login and OS authentication)

Failed Login

This event appears when a failed login attempt is made.
ID
SE_NETWORK_UNSUCCESSFUL_LOGON
Example
WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,SEVERE, 201/OaLogin, Failed Login, User: root
Table 30. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOAui (2) | {log time} | PARAM | SEVERE | 201/OaLogin | Failed Login, User: {USER} |
Additional Details
  • {USER}: Name of the attempting user
This event indicates the failed attempt to login to the system and is written after the user authentication.

Multiple occurrences of this event in a short time can indicate attempts of unauthorized access to the System.

Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Add a WCCOAui Manager with following options: "-p vision/login.pnl"
  5. Start this manager and enter invalid user credentials into the panel and click the login-button

Logoff

This event appears when a user is logged off.
ID
SE_LOGOFF
Example
WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,INFO, 202/OaLogin, Logoff, User: root
Table 31. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOAui ({manager number}) | {log time} | PARAM | INFO | 202/OaLogin | Logoff, User: {USER} |
Additional Details
  • {USER}: Name of the logged off user
This event should be paired with its Successful Login event. A missing logoff event indicates a forgotten logoff in case no auto-logoff is set.
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Configure the PanelTopology in a way that it is possible to logoff e.g. Template: "ETMMENU"
  5. Add a WCCOAui Manager with following options: "-p vision/login.pnl"
  6. Start this manager and enter valid user credentials into the panel and click the login-button
  7. Logoff via the panel

Successful Login

This event appears when a user successfully logs into the system.
ID
SE_NETWORK_SUCCESSFUL_LOGON
Example
WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,INFO, 200/OaLogin, Successful Login, User: root
Table 32. Symbolic Log Message Components
| Source | Time Stamp | Category | Type | EventID | Log Message |
| --- | --- | --- | --- | --- | --- |
| WCCOAui (2) | {log time} | PARAM | INFO | 200/OaLogin | Login successful, User: {USER} |
Additional Details
  • {USER}: Name of the logged in user
This event indicates the login of a user into the system and is written after the user authentication. It delivers information for forensics about which users logged in at which time.
Test Information
  1. Open WinCC OA administrator
  2. Create a new project or select an existing one
  3. Start WinCC OA console
  4. Add a WCCOAui Manager with following options: "-p vision/login.pnl"
  5. Start this manager and enter valid user credentials into the panel and click the login-button
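
The correlation rules described on this page (the six-field line structure, pairing Manager Start with Manager Stop, repeated starts within a short time, and repeated Failed Login or Unauthorized HTTP connect events), as an added Python example that is not part of the WinCC OA documentation or product. The function names, the 5-minute and 1-minute windows, the threshold of 3 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Fields: Source, Time Stamp, Category, Type, EventID, Log Message. Spacing varies
# in the page's samples ("PARAM,INFO", "WCCILdataSQLite(0)"), so it is optional.
LINE_RE = re.compile(
    r"^(?P<manager>\w+)\s*\((?P<number>\d+)\),\s*"
    r"(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3}),\s*"
    r"(?P<category>\w+),\s*(?P<severity>\w+),\s*"
    r"(?P<event_id>\d+(?:/\w+)?),\s*(?P<message>.*)$")
# event_id keeps the catalogue suffix: "1" (Manager Start) is not "1/javascript".
Event = namedtuple("Event", "manager number ts category severity event_id message")
START_IDS = {"1", "220"}             # Manager Start, Multiplexing proxy Start
STOP_IDS = {"2", "221"}              # Manager Stop, Multiplexing proxy Stop
AUTH_FAIL_IDS = {"201/OaLogin", "7/http", "8/http"}
BACKUP_RESTARTED = {"WCCOAdatabg"}   # restarted at every online backup

def parse_log(text):
    """Return (events, rejected_lines); non-matching lines are kept for review."""
    events, rejected = [], []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        f = m.groupdict()
        ts = datetime.strptime(f["ts"], "%Y.%m.%d %H:%M:%S.%f")
        events.append(Event(f["manager"], int(f["number"]), ts, f["category"],
                            f["severity"], f["event_id"], f["message"]))
    return events, rejected

def bursts(events, key, window, threshold):
    """Map key -> time at which `threshold` events first fell inside `window`."""
    recent, hits = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[key(ev)]
        q.append(ev.ts)
        while ev.ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.setdefault(key(ev), ev.ts)
    return hits

def restart_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Repeated starts of one manager; window and threshold are assumed values."""
    starts = [e for e in events if e.event_id in START_IDS
              and e.manager not in BACKUP_RESTARTED]
    return bursts(starts, lambda e: (e.manager, e.number), window, threshold)

def unpaired_starts(events):
    """Starts followed by another start of the same manager with no stop between."""
    running, unpaired = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        src = (ev.manager, ev.number)
        if ev.event_id in START_IDS:
            if src in running:         # previous run never logged its stop
                unpaired.append(running[src])
            running[src] = ev
        elif ev.event_id in STOP_IDS:
            running.pop(src, None)
    return unpaired

def auth_subject(ev):
    """User for Failed Login, user@host for the two HTTP events."""
    if ev.event_id == "201/OaLogin":
        return ev.message.rsplit("User: ", 1)[-1].strip()
    m = re.search(r"connect from (\S+?)[;,]", ev.message)
    return m.group(1) if m else ev.message

def auth_failure_bursts(events, window=timedelta(minutes=1), threshold=3):
    """Repeated failed authentications per subject; assumed window and threshold."""
    fails = [e for e in events if e.event_id in AUTH_FAIL_IDS]
    return bursts(fails, lambda e: (e.event_id, auth_subject(e)), window, threshold)

# Constructed sample in the page's line format (values are not real log data).
SAMPLE_LOG = """\
WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,SEVERE, 201/OaLogin, Failed Login, User: root
WCCOAui (2), 2023.10.30 13:30:45.120, PARAM,SEVERE, 201/OaLogin, Failed Login, User: root
WCCOAui (2), 2023.10.30 13:30:51.007, PARAM,SEVERE, 201/OaLogin, Failed Login, User: root
WCCOActrl (2), 2023.10.30 13:32:10.005, PARAM,WARNING, 7/http, Unauthorized connect from para@host1.example, /_info
WCCOActrl (5), 2023.10.30 14:00:00.000, SYS, INFO, 1, Manager Start, PROJ, DemoProject
WCCOActrl (5), 2023.10.30 14:01:30.000, SYS, INFO, 1, Manager Start, PROJ, DemoProject
WCCOActrl (5), 2023.10.30 14:03:00.000, SYS, INFO, 1, Manager Start, PROJ, DemoProject
WCCOActrl (5), 2023.10.30 14:20:00.000, SYS, INFO, 2, Manager Stop
WCCOAdatabg (0), 2023.10.30 15:00:00.000, SYS, INFO, 1, Manager Start, PROJ, DemoProject
WCCOAdatabg (0), 2023.10.30 15:00:20.000, SYS, INFO, 2, Manager Stop
WCCOAdatabg (0), 2023.10.30 15:00:25.000, SYS, INFO, 1, Manager Start, PROJ, DemoProject
WCCOAdatabg (0), 2023.10.30 15:00:40.000, SYS, INFO, 2, Manager Stop
WCCOAdatabg (0), 2023.10.30 15:00:45.000, SYS, INFO, 1, Manager Start, PROJ, DemoProject
node (3), 2023.10.30 15:10:00.000, SYS, INFO, 1/javascript, Server listens on Port https:// - 443.
truncated line without the header fields
"""

if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print("rejected lines:", bad)
    print("restart bursts:", restart_bursts(evs))
    print("unpaired starts:", [(e.manager, e.number, e.ts) for e in unpaired_starts(evs)])
    print("auth failure bursts:", auth_failure_bursts(evs))
```

On the sample, the three WCCOActrl (5) starts are reported both as a burst and as two unpaired starts, while the WCCOAdatabg stop/start cycles are ignored, matching the online-backup caveat above.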